8 Replies. Latest reply: Mar 31, 2008 1:23 PM by 629184

URL to Different APEX Application Session state protection violation

629184 Newbie
Hi, I am using the html expression report attribute to link to a different apex application.

href="#URL#:&SESSION.::&DEBUG.::F115_USERNAME:'&F115_USERNAME.':"

I keep getting Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.

I have STATE PROTECTION DISABLED everywhere on both applications.

I am new to apex. Can you link to other apex applications?

We use Apex 2.2

Thanks, Norbert

  • 1. Re: URL to Different APEX Application Session state protection violation
    60437 Employee ACE
    Norbert,

    1. Try to reproduce this on apex.oracle.com (3.1).

    2. Take out all that substitution stuff and try the URL exactly as it would be presented to the apex engine.

    3. Run the page in debug mode to see what's happening.

    It looks like you are passing 'XXXXX' to an item named XXXXX in the target application. Why would the application you are linking from have an application item with the same name as the linked-to application? It could, I'm just questioning if your code is correct since it appears that you use an item naming convention that incorporates the application ID.

    Yes, you can link from one application to another. These would have to both be public applications unless you have synchronized the authentication schemes so that both apps can share a session.

    Scott
  • 2. Re: URL to Different APEX Application Session state protection violation
    629184 Newbie
    I loaded the application on apex.oracle.com. I finally got it to work. I can pass parameters to another application.

    That raised other questions:

    Why does it always change the session number?

    I would like to save the session number and build security around it.

    My login application passes the session # but when the page displays, it shows another session number. I use ldap to do the signin and no authentication when going to the other application. Both applications are public.

    Is there a way to hide the parameters passed in the url?

    thanks
  • 3. Re: URL to Different APEX Application Session state protection violation
    60437 Employee ACE
    I don't have a clear description of what you are doing.

    Do the applications belong to the same workspace?

    I use ldap to do the signin and no authentication when going to the other application. Both applications are public.

    That's very unclear.

    Is there a way to hide the parameters passed in the url?

    Not really, why do you want to do that?

    Scott
  • 4. Re: URL to Different APEX Application Session state protection violation
    629184 Newbie
    Scott,

    The application I work with does have two different workspaces. It could not be reproduced on oracle.com, but the same thing is happening there. I have a different session when using the url link.

    Could you see my application?

    Never mind for the second question.

    Thanks
  • 5. Re: URL to Different APEX Application Session state protection violation
    60437 Employee ACE
    Applications must belong to the same workspace to be able to share sessions.

    Could you see my application?

    You gave us no information about it, e.g., workspace ID, application ID, and instructions for using it to observe what you wish to illustrate.

    Scott
  • 6. Re: URL to Different APEX Application Session state protection violation
    629184 Newbie
    Workspace NORB_WORKSPACE
    APP_ID: 29293

    User demo
    Password NORB_WORKSPACE

    Then position your cursor on company grouping. You will see the session is passed along with the user and email address. When you click it, it somehow assigns a new session.

    Since your latest post, I tried moving the application in the same workspace but the same thing happens again.

    Thanks,
    Norbert
  • 7. Re: URL to Different APEX Application Session state protection violation
    60437 Employee ACE
    Norbert,

    Thank you for posting this example. Your base application uses an authentication scheme with the -DATABASE- keyword in the page sentry function. Your linked-to application had nothing in that field. I switched the linked-to application's current authentication scheme to the DATABASE scheme (which has the -DATABASE- keyword in the right place) and re-ran the test. Now I think it does what you want it to.

    Scott
  • 8. Re: URL to Different APEX Application Session state protection violation
    629184 Newbie
    All right, I intentionally made it work without the ldap feature in the authentication scheme so the answer you provided does not prove much.
    I reposted two applications in my workspace for you to look at. (24330 and 24422).

    Here is a summary of the problem I have:
    When going from the login page (4) to the login detail page (5) the session is kept. I would expect the session to carry to application 24330 page 14 when clicking on Case_for_change application URL. This is not happening. I know it has to do with the authentication scheme but I cannot find the problem.

    Here is a DEBUG SESSION:
    0.00: A C C E P T: Request="P4_PASSWORD"
    0.01: Metadata: Fetch application definition and shortcuts
    0.01: NLS: wwv_flow.g_flow_language_derived_from=FLOW_PRIMARY_LANGUAGE: wwv_flow.g_browser_language=en-us
    0.01: alter session set nls_language="AMERICAN"
    0.01: alter session set nls_territory="AMERICA"
    0.01: NLS: CSV charset=WE8MSWIN1252
    0.01: ...NLS: Set Decimal separator="."
    0.02: ...NLS: Set NLS Group separator=","
    0.02: ...NLS: Set date format="DD-MON-RR"
    0.02: ...Setting session time_zone to dbtimezone
    0.02: Fetch session state from database
    0.02: ...Check session 1141326945213588522 owner
    0.02: ...Metadata: Fetch Page, Computation, Process, and Branch
    0.02: Session: Fetch session header information
    0.02: ...Metadata: Fetch page attributes for application 115, page 4
    0.02: ...Check authorization security schemes
    0.02: Session State: Save form items and p_arg_values
    0.02: ...Session State: Save "P4_USERNAME" - saving same value: "ndesroch"
    0.02: ...Session State: Save Item "P4_PASSWORD" newValue="XXXXXXX" "escape_on_input="N"
    0.02: ...Session State: Save Item "P4_DN" newValue="" "escape_on_input="N"
    0.02: ...Session State: Save Item "P4_SAMACCOUNTNAME" newValue="" "escape_on_input="N"
    0.02: ...Session State: Save Item "P4_MAIL" newValue="" "escape_on_input="N"
    0.02: Processing point: ON_SUBMIT_BEFORE_COMPUTATION
    0.02: Branch point: BEFORE_COMPUTATION
    0.02: Computation point: AFTER_SUBMIT
    0.02: Tabs: Perform Branching for Tab Requests
    0.03: Branch point: BEFORE_VALIDATION
    0.03: Perform validations:
    0.03: Branch point: BEFORE_PROCESSING
    0.03: Processing point: AFTER_SUBMIT
    0.03: ...Process "Set Username Cookie": PLSQL (AFTER_SUBMIT) declare l_ldap_host VARCHAR2(256) := 'corp.alldata.net'; l_ldap_port VARCHAR2(256) := '389'; l_ldap_user VARCHAR2(256) := 'XX-XXXXXXXX'; l_ldap_passwd VARCHAR2(256) := 'XXXXXXXX'; l_ldap_base VARCHAR2(256) := 'ou=Users - Default,ou=LOC -
    0.06: ...Session State: Saved Item "P4_DN" New Value="Desrochers, Norbert"
    0.07: ...Session State: Saved Item "P4_SAMACCOUNTNAME" New Value="NDESROCH"
    0.07: ...Session State: Saved Item "P4_MAIL" New Value="Norbert.Desrochers@alliancedata.com"
    0.07: ...Session State: Save Item "G_USERNAME" newValue="NDESROCH" "escape_on_input="Y"
    0.07: ...Session State: Save Item "G_EMAIL" newValue="Norbert.Desrochers@alliancedata.com" "escape_on_input="Y"
    0.07: ...Process "Login": PLSQL (AFTER_SUBMIT) wwv_flow_custom_auth_std.login( P_UNAME => :P4_DN, P_PASSWORD => :P4_PASSWORD, P_SESSION_ID => v('APP_SESSION'), P_FLOW_PAGE => :APP_ID||':5' );
    0.09: ...Process "Clear Page(s) Cache": CLEAR_CACHE_FOR_PAGES (AFTER_SUBMIT) 4
    0.09: Nulling cache for application "115" page: 4
    0.01:
    0.01: S H O W: application="115" page="5" workspace="" request="" session="1141326945213588522"
    0.01: Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
    0.01: alter session set nls_language="AMERICAN"
    0.01: alter session set nls_territory="AMERICA"
    0.01: NLS: CSV charset=WE8MSWIN1252
    0.01: ...NLS: Set Decimal separator="."
    0.01: ...NLS: Set NLS Group separator=","
    0.01: ...NLS: Set date format="DD-MON-RR"
    0.01: ...Setting session time_zone to dbtimezone
    0.01: NLS: Language=en-us
    0.01: Application 115, Authentication: CUSTOM2, Page Template: 26708355402631619
    0.01: ...Supplied session ID can be used
    0.01: ...Application session: 1141326945213588522, user=DESROCHERS, NORBERT
    0.01: ...Determine if user "ADMIN" workspace "13647906578560520" can develop application "115" in workspace "13647906578560520"
    0.01: Session: Fetch session header information
    0.01: ...Metadata: Fetch page attributes for application 115, page 5
    0.01: Fetch session state from database
    0.01: Branch point: BEFORE_HEADER
    0.01: Fetch application meta data
    0.01: Computation point: BEFORE_HEADER
    0.01: Processing point: BEFORE_HEADER
    0.02: Show page template header

    0.02: Computation point: AFTER_HEADER
    0.02: Processing point: AFTER_HEADER


    Then the debug when clicking on case for change:
    0.00:
    0.00: S H O W: application="111" page="14" workspace="" request="" session="1141326945213588522"
    0.00: Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
    0.00: alter session set nls_language="AMERICAN"
    0.00: alter session set nls_territory="AMERICA"
    0.00: NLS: CSV charset=WE8MSWIN1252
    0.00: ...NLS: Set Decimal separator="."
    0.00: ...NLS: Set NLS Group separator=","
    0.00: ...NLS: Set date format="DD-MON-RR"
    0.00: ...Setting session time_zone to dbtimezone
    0.00: NLS: Language=en-us
    0.00: Application 111, Authentication: CUSTOM2, Page Template: 35962935086002277
    Location: f?p=111:14:11610793186494908086::YES::G_USERNAME,G_EMAIL:NDESROCH,Norbert.Desrochers@alliancedata.com:

    Thanks

    Message was edited by:
    user626181
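
Added example, not part of the thread or of APEX itself: a small Python helper that splits an `f?p=` URL into its positional arguments (as Scott suggests, looking at the URL exactly as the engine receives it) and scans debug output like the above for a redirect whose session ID differs from the one supplied. The function names `parse_fp` and `session_changes` are hypothetical, and the sample lines are constructed in the format of the log above with made-up values.

```python
import re

# Positional arguments of an APEX f?p request, in documented order.
FP_FIELDS = ("app", "page", "session", "request", "debug",
             "clear_cache", "item_names", "item_values", "printer_friendly")
SHOW_RE = re.compile(
    r'S H O W: application="(\d+)" page="(\d+)".*?session="(\d+)"')

def parse_fp(url):
    """Split an f?p=... URL into named fields plus an item/value map."""
    m = re.search(r"f\?p=([^&\s]*)", url)
    if not m:
        raise ValueError("no f?p= argument found")
    parts = m.group(1).split(":")
    parts += [""] * (len(FP_FIELDS) - len(parts))  # trailing fields are optional
    fields = dict(zip(FP_FIELDS, parts))
    names = [n for n in fields["item_names"].split(",") if n]
    values = fields["item_values"].split(",") if names else []
    values += [""] * (len(names) - len(values))
    fields["items"] = dict(zip(names, values))
    # Session state protection carries its checksum in a separate cs= parameter.
    cs = re.search(r"[?&]cs=([^&\s]+)", url)
    fields["checksum"] = cs.group(1) if cs else None
    return fields

def session_changes(debug_lines):
    """List (app, page, supplied, issued) where a redirect swaps the session."""
    findings, current = [], None
    for line in debug_lines:
        m = SHOW_RE.search(line)
        if m:
            current = m.groups()  # remember the session the request supplied
        elif current and "Location:" in line and "f?p=" in line:
            issued = parse_fp(line)["session"]
            if issued != current[2]:
                findings.append((current[0], current[1], current[2], issued))
    return findings

# Constructed sample in the format of the debug output above (not real values).
SAMPLE = [
    '0.01: S H O W: application="115" page="5" workspace="" request="" session="1000000000000001"',
    '0.01: ...Supplied session ID can be used',
    '0.00: S H O W: application="111" page="14" workspace="" request="" session="1000000000000001"',
    '0.00: Application 111, Authentication: CUSTOM2, Page Template: 1',
    'Location: f?p=111:14:2000000000000002::YES::G_USERNAME,G_EMAIL:NDEMO,demo@example.com:',
]

if __name__ == "__main__":
    for app, page, supplied, issued in session_changes(SAMPLE):
        print(f"app {app} page {page}: supplied {supplied}, redirected with {issued}")
```

A finding means the target application did not accept the supplied session and issued its own, which is the symptom described in this thread; a `checksum` of `None` alongside a non-empty `items` map shows item values travelling in the URL without a checksum.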